Security & Privacy

Security-first by architecture, not by afterthought

Built on Supabase + Cloudflare with Row-Level Security, magic-link auth, and org-level data isolation baked in from day one.

Supabase RLS · Passwordless Auth · Invite-Only · Org Data Isolation · HMAC Webhooks · Audit Logs · SOC 2 Aligned · GDPR Aligned

0 Passwords Stored · RLS (Row-Level Security) · TLS 1.2+ In Transit · AES-256 At Rest

Eight layers of protection.

Every security control baked into the architecture from day one.

Passwordless Auth
Magic-link email authentication via Supabase Auth. No passwords stored, transmitted, or managed. Sessions are cryptographically signed JWTs with automatic expiry and refresh. Zero password breach risk.
SUPABASE AUTH·JWT·MAGIC LINK
Row-Level Security
PostgreSQL RLS policies enforce tenant isolation at the database engine level, not through app-level checks. Org A cannot access Org B's data even with direct API access. Every write policy carries a WITH CHECK clause, and my_org_slug() resolves the org from the authenticated session.
POSTGRESQL RLS·WITH CHECK·MY_ORG_SLUG()
Encryption Everywhere
HTTPS/TLS 1.2+ in transit via Cloudflare with automatic DDoS mitigation. AES-256 at rest via Supabase. Service-role keys stored exclusively in Edge Functions — never exposed to the client. Anon key governed entirely by RLS.
TLS 1.2+·AES-256·EDGE FUNCTIONS·CDN
AI Key Isolation
AI provider API keys are stored only in the user's browser localStorage. CSHUBB servers never see, store, or log them. AI requests go directly from browser → provider with zero proxy. With LM Studio, data never leaves your machine. Period.
LOCAL STORAGE ONLY·ZERO SERVER RETENTION·DIRECT API
Email Security
Custom sender domain mail.cshubb.com via Resend SMTP. Full SPF, DKIM, and DMARC authentication. Single-use invite links expire after first use. Multi-use team invite links remain active until manually revoked by an admin. Branded onboarding emails from onboarding@mail.cshubb.com.
SPF·DKIM·DMARC·RESEND
Compliance Alignment
Architecture aligns with SOC 2 (access controls, audit logging, encryption), GDPR (data minimization, purpose limitation, right to deletion), and ISO 27001 (ISMS through RBAC, encryption, multi-tenant isolation).
SOC 2·GDPR·ISO 27001
Org-Wide AI Key Policy
Admin-controlled API key policy. In org-wide mode, admin sets one key — all users inherit it from Supabase. AI Settings hidden from non-admins. Users never see the key. One-time policy lock with confirmation.
ORG-WIDE KEY·ADMIN LOCK·SUPABASE ORG_SETTINGS
Complete Audit Trail
Every action logged with full attribution: page views, account edits, AI runs (tool + account + provider), CSV imports, bulk deletes, settings changes, logins/logouts, help requests. Admin can filter by event type and user.
FULL ATTRIBUTION·EVENT FILTERS·ZERO ANALYTICS SCRIPTS

Security compliance checklist

CSHUBB is in active private beta. Security and operational governance capabilities continue evolving alongside customer feedback.

  • Data encryption at rest (AES-256)
  • Data encryption in transit (TLS 1.2+)
  • Passwordless authentication
  • Role-based access control
  • Org-level data isolation (RLS)
  • Complete audit trail
  • Data export (CSV + JSON)
  • Account deletion flow
  • Local AI option (zero leakage)
  • No third-party advertising or marketing trackers. PostHog (EU instance) for product analytics only: no ad networks, no data sold.
  • Invite-only access
  • JWT session management

Your security questions, answered

Have more questions? Email security@cshubb.com

Authentication

CSHUBB uses passwordless magic link authentication powered by Supabase Auth. When you log in, you enter your email and receive a one-time login link. Clicking it signs you in — no password is ever stored, transmitted, or exposed. Magic links are single-use and expire after a short window.

Supabase Auth verifies the token and issues a cryptographically signed JWT session stored in your browser. The JWT contains only your email and org association, never sensitive account data. The JWT is validated server-side on every API request.

SSO (SAML/OIDC) is on the roadmap for a future plan. Currently, all authentication is via Supabase magic links. Contact support@cshubb.com to discuss custom identity provider integration.

Sessions are cryptographically signed JWTs with automatic expiry and refresh managed by Supabase Auth. CSHUBB does not use long-lived cookies that could be abused via CSRF. Logging out invalidates the session server-side immediately.

Data Isolation

Every workspace is scoped to a unique org_slug. Supabase Row-Level Security (RLS) policies are enforced at the PostgreSQL engine level — not in application code. Even an application-level bug cannot return another org's data. The database itself enforces isolation on every SELECT, INSERT, UPDATE, and DELETE.

RLS is a PostgreSQL feature that enforces data access policies at the storage layer, independent of the application. In CSHUBB, every authenticated JWT can only see rows where org_slug matches its own session. This is your last line of defence — it operates independently of application code and cannot be bypassed by software bugs.

All data is stored in Supabase (PostgreSQL) on AWS with AES-256 encryption at rest and TLS 1.2+ in transit via Cloudflare. Automatic backups and point-in-time recovery are provided by Supabase infrastructure.

CSHUBB has admin-level database access for maintenance purposes only. We do not actively monitor, read, or analyse individual workspace data. The service role key (which bypasses RLS) is stored exclusively in server-side Edge Functions and is never exposed to clients or logged.

Access Control

New users require a valid invite code to join a workspace on first login. Invite codes are generated by workspace admins only. Without a valid code, first-time login is rejected — no self-service signup is possible. Admins can revoke codes instantly from Admin → Invite Codes.

Admin — full access: all modules, Admin panel, invite codes, user management, feature flags, org-wide AI key policy, webhook management, and bulk delete. The first user to create a workspace is automatically admin.

User (Member) — access to plan-enabled modules only. Cannot access Admin panel, delete accounts, or manage invite codes.

Admins revoke access from Admin → Users. Revoked users see a blocked screen on their next login. The user's is_suspended flag is set in the database and RLS policies deny all subsequent data access, even with a valid JWT.

AI & Data Privacy

AI prompts go directly from your browser to the AI provider API — they do not pass through CSHUBB servers at all.

  • Groq — sent to Groq's API. Subject to Groq's data processing terms.
  • Claude — sent to Anthropic's API using your own key.
  • Gemini — sent to Google AI Studio API using your own key.
  • LM Studio — runs 100% on your local machine. No data ever leaves your device.

Individual mode: Keys stored only in browser localStorage — never sent to CSHUBB servers, never logged, never stored in the database.

Org-wide key mode: Admin-configured key stored in Supabase, encrypted at rest, scoped to your org, protected by RLS. CSHUBB never logs or reads your keys.

Use LM Studio — available on the Growth plan and during the 15-day trial. Runs AI 100% on your local device — no internet connection required, no API key, no data leaves your machine under any circumstances. Zero external exposure.

Webhooks & Integrations

Basic webhooks (Starter add-on / Growth included): HTTP POST with a unique secret token per endpoint. The token is passed in the Authorization header so the receiving system can verify the source.

HMAC-signed webhooks (Growth plan): Payloads signed with HMAC-SHA256. Signature included in X-CSHUBB-Signature header — verifiable by your receiving system to guarantee authenticity and detect tampering.

Webhook payloads contain account-level data only (name, CSM, tier, ARR, health score, status, custom fields). They never include user credentials, API keys, authentication tokens, or any sensitive system data.
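One way a receiving system can verify the HMAC-signed webhooks described above (an added example, not CSHUBB's code). The page does not state the signature encoding or the exact signed input, so a hex digest over the raw request body is an assumption, and the secret, payload and function names are constructed for illustration.

```python
import hashlib
import hmac
import json

SIGNATURE_HEADER = "X-CSHUBB-Signature"  # header name given on the page


def sign(secret: bytes, raw_body: bytes) -> str:
    # ASSUMPTION: hex-encoded HMAC-SHA256 over the exact raw request body.
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def get_header(headers: dict, name: str) -> str:
    # HTTP header names are case-insensitive; return "" when absent.
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return ""


def verify_webhook(secret: bytes, headers: dict, raw_body: bytes) -> bool:
    received = get_header(headers, SIGNATURE_HEADER).lower()
    if not received:
        return False  # unsigned request: fail closed
    expected = sign(secret, raw_body)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), received.encode())


def handle(secret: bytes, headers: dict, raw_body: bytes):
    # Verify first, parse second: unauthenticated bytes never reach json.loads.
    if not verify_webhook(secret, headers, raw_body):
        return 401, None
    return 200, json.loads(raw_body)


# Constructed sample values (not real CSHUBB data or secrets).
SECRET = b"constructed-endpoint-secret"
BODY = b'{"name":"Acme Ltd","tier":"Gold","arr":120000,"health_score":82}'
HEADERS = {"x-cshubb-signature": sign(SECRET, BODY)}

if __name__ == "__main__":
    print(handle(SECRET, HEADERS, BODY))                        # accepted
    print(handle(SECRET, HEADERS, BODY.replace(b"82", b"28")))  # tampered
    # Re-serialized JSON has different bytes, so it no longer verifies.
    print(handle(SECRET, HEADERS, json.dumps(json.loads(BODY)).encode()))
```

The signature is checked against the bytes as received; a framework that parses and re-serializes the JSON before verification will reject genuine deliveries.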

Infrastructure
  • Supabase — PostgreSQL with built-in RLS, real-time subscriptions, and Auth on AWS with automatic backups.
  • Cloudflare — CDN, DDoS mitigation, TLS termination. HTTPS enforced on all traffic.
  • Edge Functions — Privileged server-side operations. Service role key never exposed to clients.
  • Resend — Email delivery via custom domain mail.cshubb.com with full SPF, DKIM, and DMARC.

No. The Supabase service role key (which bypasses RLS) is used exclusively in Edge Functions running server-side. The client-facing app uses only the Supabase anon key, which is fully subject to all RLS policies.

Compliance & Responsibility
  • SOC 2 — access controls, audit logging, encryption at rest and in transit
  • GDPR — data minimization, purpose limitation, right to erasure (user self-serve via Help & Feedback; org admins via Admin → Data & Privacy; all requests processed within 5 business days)
  • ISO 27001 — ISMS through RBAC, encryption, and multi-tenant isolation

Found a security issue? Email security@cshubb.com. We aim to respond within 48 hours. Please don't publicly disclose until we've had a chance to fix it — coordinated disclosure lets us protect users before details are public. Full policy at cshubb.com/security.

For users: Profile drawer → Account Actions → ⚠ Request Account Deletion, or Help & Feedback → Request Account Deletion.

For org admins: Full workspace erasure can be triggered directly from Admin Panel → Data & Privacy — no email required.

All erasure requests are processed within 5 business days. You can also email support@cshubb.com directly.

Request User Erasure removes a single departing team member's personal data and access — useful when someone leaves your org and you want their footprint cleaned up without disturbing the rest of the workspace.

Request Full Workspace Erasure permanently removes the entire org's data — accounts, activity logs, AI history, settings, everything — typically used when an organisation offboards from CSHUBB entirely.

Both are submitted from Admin → Data & Privacy, routed directly to the CSHUBB team, and processed within 5 business days under the same encryption and audit-trail guarantees as every other request.

Have a security question?

Our security team is available for any questions about architecture, data handling, or compliance.

security@cshubb.com